Monday, June 11, 2007

Sharing out online liability: sharing files, sharing risks

My colleague Bob Clark has just published a very interesting article on legal implications of filesharing in the Journal of Intellectual Property Law & Practice. In comments that will be of particular interest to the 23 filesharers recently identified by the High Court, he suggests that the methods used by the music industry to monitor p2p networks might themselves be illegal:

The privacy interestWhen the issue of a rightholder's ability to compel disclosure of the details of the person standing behind an IP address arises, personal privacy arguments have not succeeded in either the Irish or Canadian courts. In contrast, it is widely reported that the French Data Protection Authority has ruled that the automated monitoring of users of P2P filesharing systems may not be permitted since it results in the accumulation of ‘a massive collection of personal data’, on the basis of exhaustive and continuous surveillance' of P2P sites that goes ‘beyond that which is necessary for the fight against piracy’. While the impact of the new French Copyright law remains to be assessed, the IFPI is optimistic that data protection law does not bar discovery of identity orders in French courts. The view of the English and Irish courts is that, because data protection legislation in each jurisdiction permits personal data to be obtained following court orders, as long as the rightholder uses a Norwich Pharmacal or similar civil procedure the ISP will be able to disclose personal data about suspected filesharers. In EMI v Eircom Kelly J said, of the rights of privacy:

"the statutory entitlements, whether they arise under the Data Protection legislation of the Postal and telecommunications legislation are subject to a provision which permits the confidentiality to be legitimately breached by an order of the Court."

While he conceded that the law did not prescribe the conditions under which an order may be made, the ‘necessity’ test vis-à-vis Norwich Pharmacal is flexible enough to afford a basis for such an order.

What may remain unexplored is the difficulty rightholders may have in some jurisdictions in collecting evidence. Case-law suggests that the standard methodology is to engage a US agency, MediaSentry, to monitor volume uses of MP3 files, taking a 10 minute snapshot of real time users in order to identify potentially infringing filesharers on a high volume basis. In BREIN, the collection of personal data by MediaSentry on behalf of BREIN was held unlawful, MediaSentry not having signed up to the EU/US Safe Harbor Agreement. The Utrecht Court's ruling was upheld on appeal on the basis of infringement of privacy by MediaSentry and because MediaSentry's software was not sophisticated enough to identify users or acts of infringement correctly. This manner in which information is collected was also considered in Sharman, when Wilcox J put it to the MediaSentry witness: ‘so what you are doing is, you are in effect spying on a person who is in the act of downloading’.

In the context of Irish law, intrusive methods of collecting data may be challengeable under the privacy provisions in the EU Telecommunications Data Protection Directive, as well as under the constitutional guarantee of privacy in respect of the communication of messages. It is also uncertain whether rightholders are illegally using telecommunications technology to intercept communications as MediaSentry, at the time of the interception, clearly had no authority to do this. Thus, one may need to distinguish between activities that employ privacy intrusive techniques to collect evidence (no legal process having yet taken place) and a subsequent court application to complete the chain of evidence, to secure the names and addresses of persons behind the IP address. In the former case, serious statutory and constitutional law issues may need to be addressed. Until more light is cast on the methods of data collection used initially to identify suspects by organizations such as MediaSentry, this uncertainty will remain.

Rightholders may be aware that some collection techniques are legally suspect. In November 2005, the Creative and Media Business Alliance attempted to persuade the members of the European Parliament to extend the draft Data Protection Directive to cover offences that arise from copyright infringement. This attempt failed, the lobbying being attacked as both an infringement of civil liberties and an attempt to transfer the cost of protecting copyright from well-funded industries to European taxpayers and telecoms subscribers.

3 comments:

The question remains though is a constitutional privacy shield really usable in situations where the 'common good and policy' potentially could trump the argument, and additionally is personal data actually placed as a stored requirement? I suggest that personal data is not in-fact stored under 2005 Act, but data that may lead to or be connected to, in some ancillary way a natural person. The ECHR is a waste of space to this end as well despite Copland v UK decision and ors.

is a constitutional privacy shield really usable in situations where the 'common good and policy' potentially could trump the argument

This may depend on the nature of the invasion of privacy. The article suggests that there is a distinction between the Eircom v. EMI scenario (narrow court ordered identification of specified users) and the broader MediaSentry approach (which is, in effect, an extra judicial fishing expedition), so that the courts may be willing to sanction one and not the other.

I suggest that personal data is not in-fact stored under 2005 Act, but data that may lead to or be connected to, in some ancillary way a natural person.

This depends on your concept of personal data and the purpose for which you're using that concept. Under data protection law the call details are clearly personal data in that they constitute "data relating to a living individual who can be identified either from the data or from the data in conjunction with other information in the possession of the data controller". For the purposes of the ECHR and the Constitution, provided we can identify the persons making and receiving telephone calls, emails, etc. then it seems to me that we have an Article 8 privacy issue as well as an issue under our unenumerated right to privacy.